Shadowlock: Building Better Ransomware

As someone who has probably written the word “survey” about nineteen billion times since 2008, anything new involving said scam is always going to catch my eye. Malware authors have been creating survey Ransomware for some time now – here’s one example from December 2012, here’s a basic one from 2011(!) – and here’s a more recent example, an underground advert offering services relating to building survey-launching hijackers.

As you may have seen in the news courtesy of our friends at Symantec, there’s a current infection doing the rounds called “Shadowlock”, which – as you’d expect – locks users out with a survey. Bizarrely, it also plays music from Close Encounters of the Third Kind and opens CD trays. I was curious as to whether this was a custom build or put together with a DIY kit (and if so, which one – there are a number of slick, well-made apps and also a lot of fake imitations and Malware).

There are a few clues in the Symantec writeup to go on, and below you can see what we’ve pieced together based on the evidence currently in the public domain.

1) The popup box can be “moved around the desktop”, and displays a very specific message.

This popup box – complete with a near-identical message – has been seen before (December 2012, in a writeup about Ransomware Survey DIY kits):

2) Below is a picture of a DIY builder, taken from a series of shots posted to an underground forum – most likely an updated version of the builder from Xylit0l’s December 2012 blog entry, which allows would-be desktop hijackers to make their own Ransomware Trojan. When choosing options for the desktop Ransomware, it lets you disable any or all of the listed functions (the ones related to Shadowlock are ticked in the screenshot below so you can see them more clearly):

[Screenshot: DIY builder options, with the Shadowlock-related functions ticked]

3) While the text from the screenshot in 1) differs slightly from the text in the Symantec writeup – presumably because it is from an earlier build – the text in a more recent version of the builder matches the text in the Symantec blog entry bar one word (a missing “you’ll”, which appears only in the Shadowlock version quoted below):

[Screenshot: message text from the more recent version of the builder]

Here are all three versions:

Xylit0l’s December 2012 Blog

Please fill in a short survey in order to close this application. You will also be able to use your computer as before. Don’t do this, and you’ll see what happens. Thank you for your understanding.

Shadowlock:

Please complete a survey in order to unlock your computer. Everything will be as before when you unlock your PC. Don’t do this, and you’ll see what happens. Thank you for your cooperation.

Builder screenshot:

Please complete a survey in order to unlock your computer. Everything will be as before when you unlock your PC. Don’t do this, and see what happens. Thank you for your cooperation.
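The word-level comparison behind point 3) can be done mechanically, which is useful when more variants turn up. The following is an added example, not code from the original post or from Symantec; the three note texts are constructed from the versions quoted above, and the function names are ours. It tokenizes each note, reports the exact word-level edits between two variants, scores their similarity, and pulls out the long runs of shared wording that a defender could use as candidate detection strings for this family of lockers.

```python
import difflib
import re

# Constructed from the three message variants quoted on the page.
NOTES = {
    "xylit0l_2012": (
        "Please fill in a short survey in order to close this application. "
        "You will also be able to use your computer as before. "
        "Don’t do this, and you’ll see what happens. "
        "Thank you for your understanding."
    ),
    "shadowlock": (
        "Please complete a survey in order to unlock your computer. "
        "Everything will be as before when you unlock your PC. "
        "Don’t do this, and you’ll see what happens. "
        "Thank you for your cooperation."
    ),
    "builder": (
        "Please complete a survey in order to unlock your computer. "
        "Everything will be as before when you unlock your PC. "
        "Don’t do this, and see what happens. "
        "Thank you for your cooperation."
    ),
}


def tokenize(text):
    """Lower-case and split on punctuation/whitespace so only wording differences count.
    Apostrophes (straight or curly) stay inside a token, so "you’ll" is one word."""
    return re.findall(r"[\w’']+", text.lower())


def word_diff(a, b):
    """Return the non-identical regions between two notes as (tag, words_in_a, words_in_b).
    tag is one of 'replace', 'delete', 'insert' as produced by difflib."""
    wa, wb = tokenize(a), tokenize(b)
    sm = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [(tag, wa[i1:i2], wb[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def similarity(a, b):
    """Word-level similarity ratio in [0, 1]; 1.0 means identical wording."""
    wa, wb = tokenize(a), tokenize(b)
    return difflib.SequenceMatcher(a=wa, b=wb, autojunk=False).ratio()


def shared_phrases(a, b, min_words=4):
    """Runs of at least min_words identical consecutive words shared by both notes.
    These are the stable fragments worth turning into a string signature."""
    wa, wb = tokenize(a), tokenize(b)
    sm = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [" ".join(wa[m.a:m.a + m.size])
            for m in sm.get_matching_blocks() if m.size >= min_words]


if __name__ == "__main__":
    # Shadowlock versus the newer builder screenshot: expect a single dropped word.
    for tag, left, right in word_diff(NOTES["shadowlock"], NOTES["builder"]):
        print(f"{tag}: {left!r} -> {right!r}")
    for name in ("xylit0l_2012", "builder"):
        print(f"shadowlock vs {name}: {similarity(NOTES['shadowlock'], NOTES[name]):.3f}")
    for phrase in shared_phrases(NOTES["shadowlock"], NOTES["builder"]):
        print("shared:", phrase)
```

Running it confirms the page's observation: Shadowlock and the newer builder text differ only by the deleted word “you’ll”, while the December 2012 wording scores noticeably lower against both. The shared-phrase output is the part a detection engineer would keep; the long identical runs survive a one-word edit, so a signature built on them would match both the builder output and Shadowlock itself.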

4) .NET 2.0 is required at a minimum in order for Shadowlock to function correctly. In the case of the above builder, .NET 2.0 is required at a minimum for both builder and slave to function correctly.

5) Shadowlock causes the CD tray to open, can switch mouse buttons and play some Close Encounters music. It can also kill most popular browsers, such as Firefox, Chrome, Internet Explorer, Safari and Opera. “Crazy CD drive” is listed in the screenshot under 2), and here’s the rest including the mouse button switch:

[Screenshot: remaining builder options, including the mouse button switch]

The only thing missing is the Close Encounters music. There is an option for “Play beep song” and “Crazy sound”, so perhaps Close Encounters is a beeping MIDI phenomenon or a version of the builder allows you to include a song of choice. While we can’t say with 100% certainty how Shadowlock came to be, I’d suggest there’s a strong case for the above being a potential chain of events in the creation of everybody’s favourite music playing Malware.

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.

Please, I need help, I have gotten one of these. It says “Please Complete a Quick Offer to download” and in a black space at the bottom of the popup it says “Unlock code” with a space to enter the code. Under it there are two buttons, Site and Vertify. To the bottom right it shows a message saying: Please complete a survey in order to unlock your computer. Everything will be as before when you unlock your PC. Don’t do this, and you’ll see what happens. Thank you for your cooperation.